Hiring security staff is no easy task. The demand for IT professionals with security expertise far exceeds supply. In an effort to weed out unqualified applicants, hiring managers tend to rely on information security certifications. Unfortunately, a certification isn’t proof of an individual’s qualification any more than the lack of a certification indicates that an individual isn’t qualified for a position. With that in mind, here are five tips for using certifications to hire and develop security staff.
- Unlike, say, a doctor or lawyer there is no professional designation for IT security professionals. As a result, IT professionals look to certifications as a means of proving their knowledge in security. And, as luck would have it, there are certifications for nearly every aspect of information security. Hiring managers should determine what skills they are hiring for and map them to well-known security certifications. List these specific certifications in your job postings.
- According to Gartner, more than half a million individuals are certified across the world by the various information security certification programs. So while it may be helpful to use certifications to filter candidates, keep in mind that certifications are not a differentiator. Instead, look to communication and other business skills as differentiators.
- If certification isn’t mandatory to fulfill a role, then don’t make it a requirement for employment. Similarly, don’t randomly list security certifications in your job postings. It will only serve to confuse applicants as to what the job entails.
- Requiring certifications can raise the bar for security skills within the organization and encourage personal development. However, if you require staff to acquire and maintain certifications then you must be willing to support them in their efforts to do so. That means allowing them to take time off for training and renewal, and reimbursing certification fees.
- To encourage continuous learning, work with each employee to create a personal development plan that takes into account the team’s objectives and current skills gaps. Identify a certification that will satisfy these, and plan additional responsibilities that will enable the employee to use newly acquired skills.
Information security certifications require an investment from both the employee and employer. When approached strategically, both parties can benefit. Just be sure you both understand what you plan to get out of it.